V9.14.000.2026.06.07
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:46:30 +01:00
parent aa94c53d65
commit 261d770e42
54 changed files with 515 additions and 203 deletions
+1 -1
@@ -25,7 +25,7 @@ body:
attributes: attributes:
label: "Version" label: "Version"
description: "Which version are you running? Use `./setup.sh -v`." description: "Which version are you running? Use `./setup.sh -v`."
placeholder: "e.g., Master V8.00.000.2025.06.17" placeholder: "e.g., Master V9.14.000.2026.06.07"
validations: validations:
required: true required: true
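Review bot: the version string is hand-edited in this placeholder and again in every other file of the commit (build yaml, the three workflow headers, SECRETS.yaml, preseed.yaml, the properties file, the SPDX record and five doc headers); since the template already points users at `./setup.sh -v`, consider reading the placeholder and the doc headers from the single `version:` field in the build file so the copies cannot drift, as they already do between `Master Version` and `Build` further down this commit.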
+1 -1
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.00.000.2025.06.17 version: V9.14.000.2026.06.07
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
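Review bot: `counter: 1023` is left unchanged while `version:` moves from V8.00.000.2025.06.17 to V9.14.000.2026.06.07; if the counter is meant to identify builds it should be bumped with this release, and if it no longer means anything the field should go rather than carry a stale value.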
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17 ### Version Master V9.14.000.2026.06.07
# Gitea Workflow: Shell-Script Linting # Gitea Workflow: Shell-Script Linting
# #
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17 ### Version Master V9.14.000.2026.06.07
name: 🛡️ Retrieve DNSSEC status of coresecret.dev. name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17 ### Version Master V9.14.000.2026.06.07
name: 🔁 Render Graphviz Diagrams. name: 🔁 Render Graphviz Diagrams.
+2 -2
@@ -11,7 +11,7 @@
# #
# #
# This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
# Master V8.00.000.2025.06.17 # Master V9.14.000.2026.06.07
# YAML specification: 1.2 # YAML specification: 1.2
# #
secrets: secrets:
@@ -19,7 +19,7 @@ secrets:
created_at: "2025-10-23" created_at: "2025-10-23"
created_for: "host_domain_tld" created_for: "host_domain_tld"
name: "CISS.debian.installer" name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17" version: "V9.14.000.2026.06.07"
x_files: "false" x_files: "false"
################################################################################################################################ ################################################################################################################################
# Grub bootloader passphrase # Grub bootloader passphrase
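Review bot: the header states that this file "contains all required Secrets, Tokens and Public and Private Keys", yet the file is committed and version-bumped like any other source file; the `created_for: "host_domain_tld"` value suggests it is a template, so say so in the header and make sure a populated copy is kept out of version control (a `.gitignore` entry for the real file is the usual way), otherwise the next person to fill it in will commit live key material with a routine version bump.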
+2 -2
@@ -11,7 +11,7 @@
%YAML 1.2 %YAML 1.2
--- ---
# This file contains configurations for the CISS.debian.installer # This file contains configurations for the CISS.debian.installer
# Master V8.00.000.2025.06.17 # Master V9.14.000.2026.06.07
# YAML specification: 1.2 # YAML specification: 1.2
# #
preseed: preseed:
@@ -19,7 +19,7 @@ preseed:
created_at: "2025-10-23" created_at: "2025-10-23"
created_for: "host_domain_tld" created_for: "host_domain_tld"
name: "CISS.debian.installer" name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17" version: "V9.14.000.2026.06.07"
# #
################################################################################################################################ ################################################################################################################################
# APT settings # APT settings
+2 -2
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.installer" properties_SPDX-PackageName="CISS.debian.installer"
properties_SPDX-Security-Contact="security@coresecret.eu" properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.00.000.2025.06.17" properties_version="V9.14.000.2026.06.07"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+153
@@ -0,0 +1,153 @@
# AGENTS.md
## Purpose
This repository builds and maintains CISS.debian.installer, a script-driven Debian installer for hardened and reproducible
system installation workflows.
Treat every change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive. Persistent coding details live
in `docs/CODING_CONVENTION.md`. Review-only instructions live in `code_review.md`.
## Instruction precedence for this repository
Use this order when instructions differ:
1. The current task prompt defines the immediate objective and task-specific acceptance criteria.
2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
4. `code_review.md` applies when performing a review or final self-review.
5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
When instructions conflict, prefer the safer, smaller, more easily reviewable change and explain the conflict.
## Non-negotiable constraints
- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
- Do not introduce Ubuntu-specific assumptions.
- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
tool behavior.
- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
- Preserve encrypted-root and boot-chain security assumptions unless the task explicitly changes them.
- Preserve existing module source guards, especially `guard_sourcing`, `source_guard`, and `readonly -f` conventions.
- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps from modules or runtime scripts.
- Prefer simple, explicit, inspectable Bash over clever abstraction.
- Do not use `eval`.
- Do not print secrets, passphrases, private keys, tokens, or sensitive environment values.
- Do not perform destructive disk operations in validation unless explicitly requested and safely isolated.
## Repository map
Common areas:
- `ciss_debian_installer.sh`: primary installer entrypoint and phase orchestration.
- `meta_loader_*.sh`: ordered module, library, and variable sourcing.
- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer configuration, partition recipes,
and secret input material.
- `var/*.sh`: global variables, colors, terminal settings, and error codes.
- `lib/cdi_0000_preliminary/*`: contact, usage, and version helpers.
- `lib/cdi_0005_guard/*`: sourcing, source-guard, safe-execution, directory, and variable guards.
- `lib/cdi_0010_basic/*`, `lib/cdi_0025_logging/*`, `lib/cdi_0030_checks/*`, `lib/cdi_0050_debug/*`,
`lib/cdi_0060_traps/*`: basic helpers, logging, package/git checks, debug support, and traps.
- `lib/cdi_0100_arg/*`, `lib/cdi_0110_interactive/*`, `lib/cdi_0200_dialog/*`: argument handling and interactive dialogs.
- `func/cdi_1000_helper/*`: chroot helpers, GRUB helpers, module helpers, sanitizers, secure downloads, and YAML helpers.
- `func/cdi_1200_validation/*`, `func/cdi_1250_yaml/*`: validation and preseed/YAML processing.
- `func/cdi_3200_partitioning/*`: destructive partitioning, LUKS setup, formatting, mounting, and UUID logging.
- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, and base target setup.
- `func/cdi_4100_base/*`: APT sources, kernel, initramfs, systemd, firmware, and base package setup.
- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup, GRUB, GRUB password, and boot parameter handling.
- `func/cdi_4300_network/*`: network setup, Dropbear initramfs remote unlock, initramfs updates, and SSH setup.
- `func/cdi_4400_hardening/*`, `func/cdi_4500_user/*`, `func/cdi_4600_packages/*`: hardening, account setup, package
installation, security verification, and auditing packages.
- `func/cdi_4900_xtended/*`, `func/cdi_5000_recovery/*`: final commands, logrotate, chroot exit, and recovery target handling.
- `includes/target/*`: files installed into the target system, including initramfs-tools hooks, scripts, Dropbear unlock
files, GRUB assets, SSH, OpenSSL, sysctl, modprobe, PAM, and profile configuration.
- `includes/chroot/hooks/*`: hook payloads copied into or executed inside the target environment.
- `upgrades/*`: vendored or upgrade-related materials for Dropbear, Linux image options, and Secure Boot work.
- `py/*`: Python-based configurator support.
- `docs/*`, `.gitea/workflows/*`: project documentation and repository automation.
## Working method
Before editing:
1. Inspect the relevant scripts, configuration files, documentation, workflows, and naming conventions.
2. Identify the affected installer phase: host orchestration, YAML/preseed handling, destructive disk setup, target chroot,
initramfs, bootloader, network/Dropbear, hardening, user setup, package installation, finalization, or recovery.
3. Check existing source guards, trap behavior, logging, secret handling, and helper APIs before changing code.
4. Give a concise implementation plan and list likely files to touch unless the change is trivial.
While editing:
- Keep changes minimal and local to the task.
- Preserve existing architecture, naming style, error handling, formatting, and security posture.
- Do not perform unrelated cleanup or formatting churn.
- Reuse existing helpers for logging, fatal errors, validation, source guards, chroot execution, secure downloads, temporary
files, and secret cleanup where available.
- Prefer arrays for command argument composition.
- Do not introduce new runtime dependencies unless technically necessary and justified.
After editing:
- Run only the narrowest checks that prove the change.
- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
- Changed POSIX shell files: run `sh -n <file>`.
- Changed CLI behavior: update `usage()` and relevant documentation, then run the safest available parser/help check if the
environment permits it.
- Changed Python files: run the relevant checks configured under `py/` when applicable.
- Changed installer, disk, initramfs, cryptsetup, GRUB, or Dropbear behavior: state the required Debian 13 Trixie validation
command or isolated test, but do not run destructive or full installer validation unless explicitly requested.
- For documentation-only changes, confirm the target files exist and review the final diff.
## Bash conventions summary
See `docs/CODING_CONVENTION.md` for details.
- Use Bash for installer logic unless an existing Debian interface file must remain POSIX shell.
- Preserve module source guards and `readonly -f` usage where surrounding files use them.
- Prefer strict Bash mode where feasible and consistent with the file's execution context.
- Use `declare` for variables inside functions.
- Quote expansions unless word splitting or globbing is explicitly required.
- Prefer arrays where argument boundaries matter.
- Use `[[ ... ]]`, `case`, and `$(...)`.
- Avoid parsing `ls`; prefer structured tool output or existing helpers.
- Prefer `command -v` over `which`.
- Code comments must be in English.
## Security-sensitive areas
Before finalizing a change, check whether it affects:
- disk wiping, partition table creation, partition type codes, or filesystem formatting
- cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS header backups, or nuke behavior
- Btrfs subvolumes, mount ordering, mount options, snapshots, or labels
- `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, or mapper names
- initramfs-tools hooks, scripts, included binaries, or early boot behavior
- Dropbear initramfs remote unlock, forced commands, firewalling, host keys, unlock wrapper signatures, or hashes
- GRUB installation, GRUB modules, encrypted `/boot`, UEFI/BIOS paths, NVRAM handling, or Secure Boot material
- chroot command execution, mount propagation, target/root separation, or environment sanitization
- APT sources, package authentication, TLS, signatures, checksums, or remote downloads
- account setup, SSH policy, PAM, sudo, permissions, hardening files, or network exposure
- logging, debug tracing, traps, cleanup paths, or exposure of sensitive values
If affected, document the concrete risk and mitigation in the final response.
## Validation policy
Use the narrowest validation that proves the requested change. Do not run full installer builds, debootstrap runs, live disk
tests, destructive partitioning, broad repository audits, or network-heavy validation unless the task explicitly asks for them
or the change cannot be validated responsibly without them.
## Final response
Return a concise implementation report:
- changed files
- what changed
- checks run and result
- real remaining risks or follow-up steps
Do not claim success for checks that were not run.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
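Review bot: the "After editing" checklist under "Changed Bash files" only asks for `bash -n <file>` and `shellcheck <file>`, while the README badges in this same commit advertise shellformat (shfmt) and the Google shell style; add `shfmt -d <file>` (diff mode, no rewrite) to that line so formatting is checked before review, or the badge will keep claiming a check the agent never runs.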
+2 -2
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-06-17T12:00:00Z Created: 2025-06-17T12:00:00Z
Package: CISS.debian.installer Package: CISS.debian.installer
PackageName: CISS.debian.installer PackageName: CISS.debian.installer
PackageVersion: Master V8.00.000.2025.06.17 PackageVersion: Master V9.14.000.2026.06.07
PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer
@@ -20,4 +20,4 @@ License: LicenseRef-CCLA-1.0
LicenseID: LicenseRef-CCLA-1.0 LicenseID: LicenseRef-CCLA-1.0
LicenseName: Centurion Commercial License Agreement 1.0 LicenseName: Centurion Commercial License Agreement 1.0
LicenseCrossReference: https://coresecret.eu/imprint/licenses/ LicenseCrossReference: https://coresecret.eu/imprint/licenses/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
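Review bot: `PackageVersion` moves to V9.14.000.2026.06.07 but `Created: 2025-06-17T12:00:00Z` stays at the original date; an SPDX record describing a new release should carry a creation timestamp that matches it, otherwise consumers of the SBOM cannot tell which build it was generated for.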
+7 -6
@@ -2,7 +2,7 @@
gitea: none gitea: none
include_toc: true include_toc: true
--- ---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.00.000.2025.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer) [![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.000.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,9 +11,10 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -25,8 +26,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on
the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much
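Review bot: `**Master Version**: 9.00` does not agree with `**Build**: V9.14.000.2026.06.07` on the next line (the old pair 8.00 / V8.00.000 was consistent), and the unchanged description still promises a "hardened Debian Bookworm server environment" while the `AGENTS.md` added in this commit makes Debian 13 Trixie a non-negotiable target; fix both here and in the four other documents where this header block is copied.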
+2 -2
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. DNSSEC Status # 2. DNSSEC Status
+2 -2
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. TLS Audit: # 2. TLS Audit:
+3 -3
@@ -7,12 +7,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Changelog # 2. Changelog
## V8.00.000.2025.06.17 ## V9.14.000.2026.06.07
* Initial Release * Initial Release
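Review bot: the changelog heading is renamed from V8.00.000.2025.06.17 to V9.14.000.2026.06.07 but its only entry still reads `* Initial Release`, and the previous version's section disappears; keep the V8.00 section and add a new V9.14 section listing what this commit actually changes (new `AGENTS.md`, rewritten coding convention, Gitea/Runner/IntelliJ/KeePassXC badge bumps).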
+2 -2
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Centurion Net - Developer Branch Overview # 2. Centurion Net - Developer Branch Overview
+179 -63
@@ -7,84 +7,200 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Coding Style # 2. Purpose
## 2.1. PR This document defines detailed coding conventions for CISS.debian.installer. `AGENTS.md` is the short operational guide for
Codex. `code_review.md` is used for review tasks and final self-review.
You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR. The repository implements a Bash-first Debian installer for hardened, reproducible system installation workflows. Treat every
change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive, especially changes affecting partitioning,
LUKS, Btrfs, initramfs, Dropbear remote unlock, GRUB, package sources, signatures, checksums, hardening settings, or logs.
## 2.2 Documentation # 3. Change discipline
Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in - Keep changes small, local, and reviewable.
`~/docs/DOCUMENTATION.md`. - Make one functional change per patch set.
- Preserve existing architecture, naming style, error handling, formatting, and security posture.
- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
- Do not introduce Ubuntu-specific assumptions.
- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
tool behavior.
- Verify uncertain behavior against repository code or authoritative upstream documentation.
- Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification,
checksum verification, provenance verification, or input validation unless explicitly requested and documented.
- Do not perform unrelated cleanup or formatting churn.
## 2.3. Coding # 4. Installer phase awareness
### 2.3.1. Shell / bash Identify the affected phase before changing behavior:
Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of - `ciss_debian_installer.sh`: host-side entrypoint, root/Bash checks, lock handling, trap activation, and phase order.
neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there. - `meta_loader_*.sh`: ordered sourcing of variables, functions, and libraries via `source_guard`.
- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer settings, partition recipes, and
secret material.
- `lib/cdi_0100_arg/*`: CLI argument sanitation, parsing, priority handling, and passphrase-module argument support.
- `func/cdi_1200_validation/*` and `func/cdi_1250_yaml/*`: element, IP, preseed, YAML, and secret validation.
- `func/cdi_3200_partitioning/*`: destructive disk wiping, partition creation, LUKS setup, formatting, mount ordering, and UUID
logging.
- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, base target setup, hostname, resolver, timezone, and
locale setup.
- `func/cdi_4100_base/*`: APT source generation, updates, kernel/initramfs installation, toolset, systemd, machine-id,
firmware, microcode, Chrony, and base packages.
- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup-initramfs, GRUB installation, GRUB password, and boot parameters.
- `func/cdi_4300_network/*`: target networking, network security, Dropbear build/initramfs/setup, initramfs update, and SSH.
- `func/cdi_4400_hardening/*`: kernel modules, sysctl, fail2ban, filesystem permissions, entropy, memory, OpenSSL, UFW, USB,
and malware-auditing hardening.
- `func/cdi_4500_user/*`: account preparation, password policy, user setup, SSH keys, privileges, and timing fields.
- `func/cdi_4600_packages/*`: package installation, security profile installation, verification, and auditing packages.
- `func/cdi_4900_xtended/*`: final commands, logrotate setup, and target chroot exit.
- `func/cdi_5000_recovery/*`: recovery target debootstrap and finalization when recovery is enabled.
- `includes/target/*`: files installed into the target system, including initramfs-tools hooks/scripts/files and service
configuration.
- `includes/chroot/hooks/*`: chroot hook payloads.
- `upgrades/*`: vendored upgrade/build material for Dropbear, Linux image options, and Secure Boot work.
- `py/*`: Python configurator support.
* Don't use backticks anymore, use `$(..)` instead Keep host-side behavior, target chroot behavior, initramfs behavior, and bootloader behavior separate.
* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
quote at all.
* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
slower as it forks, fopens and pipes back the result.
* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
* Bash can also deal perfectly with regular expressions, see
e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
achieve the same with e.g. `awk`.
* Be careful with very advanced bash features. Mac OS X is still using bash version 3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
* Always use a return value for a function/method. 0 means all is fine.
* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
### 2.3.2. Shell specific # 5. Bash baseline
* Security: - Use Bash for installer logic and orchestration.
* Watch out for any input especially (but not only) supplied from the server. Input should never be trusted. - Use POSIX shell only where an existing Debian interface file requires it, such as an initramfs hook or script that already
* Unless you're really sure where the values come from, variables need to be put in quotes. declares `#!/bin/sh`.
- The main installer requires Bash 5.1 or newer; do not add compatibility code for older Bash versions unless explicitly
requested.
- Prefer `set -Ceuo pipefail` for executable Bash scripts where feasible. In sourced modules, preserve the caller's shell
option and trap model unless the surrounding code already changes it intentionally.
- Preserve `guard_sourcing || return "${ERR_GUARD_SOURCE}"` in sourced modules that use it.
- Preserve `source_guard`-based module loading.
- Preserve `readonly -f` on functions where surrounding files use it.
- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps. Coordinate any trap change with `lib/cdi_0060_traps/*` and
initramfs runtime scripts.
### 2.3.3. Variables # 6. Bash style
* Use **"speaking variables"** but don't overdo it with the length. - Quote expansions unless word splitting or globbing is explicitly required.
* No _camelCase_, please. We distinguish between lowercase and uppercase only. - Prefer arrays for commands and options.
* Global variables: - Use `[[ ... ]]` for Bash conditionals.
* use them only when really necessary, - Use `case` for option dispatch and multi-branch string handling.
* in CAPS, - Use `$(...)` command substitution, not backticks.
* initialize them (`declare -g VAR_EXAMPLE=""`), - Do not use `eval`.
* SHOULD start with: - Avoid parsing `ls`.
* `ARY_` for Arrays, - Prefer `command -v` over `which`.
* `C_` for Variables defining colored outputs, - Check command results explicitly when failure needs custom logging or cleanup.
* `ERR_` for Error Codes Variables, - Keep functions small enough to review.
* `HMP_` for HashMap Arrays, - End functions explicitly with `return 0` where consistent with surrounding code.
* `LOG_` for Logfile Variables, - Use English comments. Comment non-obvious security, disk, cryptographic, initramfs, or boot-chain decisions.
* `PID_` for PID Variables,
* `PIPE_` for PIPE Variables,
* `VAR_` for Variables
* Local variables:
* are lower case,
* declare them before usage (`declare` eq `local`),
* initialize them (`declare var_example=""`),
* SHOULD start with:
* `ary_` for Arrays,
* `c_` for Variables defining colored outputs,
* `err_` for Error Codes Variables,
* `hmp_` for HashMap Arrays,
* `log_` for Logfile Variables,
* `var_` for Variables.
# 3. Misc # 7. Variables and naming
* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected. Follow the existing repository naming style:
- Global variables are uppercased and initialized before use.
- Global arrays and maps use established prefixes such as `ARY_`, `HMP_`, `C_`, `ERR_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`.
- Local variables are lowercase and initialized before use.
- Local arrays and helper variables use established prefixes such as `ary_`, `hmp_`, `c_`, `err_`, `log_`, and `var_`.
- Use `declare` consistently with surrounding files.
- Function names use lowercase words separated by underscores.
- Avoid new global variables when an argument, local variable, or existing helper is sufficient.
- Keep Boolean-like values normalized where existing code expects lowercase strings.
# 8. Input validation, secrets, and files
- Treat CLI arguments, YAML values, environment variables, generated paths, network data, package metadata, and user-provided
files as untrusted until validated.
- Validate disk names, partition numbers, mount paths, filesystem names, Debian suites, architecture names, ports, IP
addresses, package names, URLs, feature flags, and file paths before use.
- Fail closed when validation cannot prove that continuing is safe.
- Do not print secrets, passphrases, private keys, tokens, decrypted SOPS values, or sensitive environment values.
- Keep debug tracing disabled around secret handling unless the local guard explicitly protects sensitive values.
- Use restrictive permissions for generated key material, passphrase files, LUKS header backups, SSH material, and root-only
configuration.
- Prefer `mktemp` for temporary files and clean them up with existing cleanup or trap helpers.
- Preserve existing secure deletion helpers where used for passphrase or key material.
- Do not add a persistent state unless the behavior is intentional, scoped, and documented.
# 9. Disk, partitioning, and cryptsetup safety
- Treat changes under `func/cdi_3200_partitioning/*` as destructive by default.
- Never run partitioning, formatting, LUKS, `blkdiscard`, `sgdisk --zap-all`, or `dd` validation on a real device unless the
task explicitly requests it, and the target is safely isolated.
- Preserve explicit device scoping from `.preseed/partitioning.yaml`.
- Preserve udev settling and UUID/PARTUUID collection where disk identity is needed by later phases.
- Preserve LUKS2 defaults and stronger cryptographic settings unless the task explicitly changes them.
- Do not weaken PBKDF, cipher, hash, key size, integrity, discard, or keyslot behavior without documenting the risk.
- Preserve the special handling for encrypted `/boot`, root, recovery, ephemeral `SWAP`, and ephemeral `/tmp`.
- Keep LUKS header backups encrypted when backup behavior is enabled and remove plaintext backup material after encryption.
- Keep `/etc/fstab` and `/etc/crypttab` generation consistent with mapper names, UUIDs, PARTUUIDs, filesystem types, and mount
options.
- Preserve Btrfs subvolume and snapshot semantics when changing Btrfs mount or formatting logic.
# 10. Chroot, target, and boot-chain safety
- Use `chroot_exec` for simple command execution in the target.
- Use `chroot_script` or `chroot_stdin` for shell constructs, redirection, pipelines, loops, or larger payloads.
- Preserve the sanitized `env -i` target environment unless a task explicitly requires a new variable.
- Do not leak host paths or host environment assumptions into the target system.
- Preserve target mount setup and teardown behavior.
- Keep initramfs-tools hooks and scripts in their expected directories; do not add ad-hoc phase arguments.
- Preserve Dropbear initramfs forced-command, unlock-wrapper integrity checks, signature verification, and nuke behavior.
- Preserve GRUB support for encrypted boot paths, and the repository's UEFI/BIOS handling unless explicitly changed.
- Do not change UEFI NVRAM behavior or fallback boot paths without documenting the boot-chain impact.
# 11. Dependencies and downloads
- Do not add new runtime dependencies unless the task requires them.
- Prefer standard Debian tooling or existing project helpers.
- When a dependency is needed, document why the existing toolchain, or a standard alternative is insufficient.
- Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification.
- For required downloads, use HTTPS where applicable and preserve or add signature, checksum, or provenance verification.
- Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content.
- Preserve package authentication and APT source integrity checks.
# 12. Documentation rules
- Update documentation together with behavior changes.
- New or changed CLI options must update `usage()` and relevant documentation.
- New or changed YAML/preseed keys must update the relevant `.preseed` example or project documentation.
- Boot parameter changes must update `docs/man/BOOTPARAMS.md` when applicable.
- Security-sensitive behavior changes must update the relevant manual, audit, or security documentation when applicable.
- Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release.
- Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English.
# 13. Formatting
- Preserve SPDX headers and existing file headers where present.
- New source or configuration files should include the project SPDX header when comparable files already use one.
- Follow `.editorconfig`: LF line endings, UTF-8, two-space indentation for most repository files, four-space indentation for
Python, and readable line lengths.
- Preserve the local Vim modeline style in source/config files where neighboring files use it.
- Keep Markdown concise and structured. Avoid decorative text that does not define repository behavior.
- Do not churn formatting unrelated to the task.
# 14. Narrow validation policy
Run only the narrowest checks that prove the change:
- Bash files: `bash -n <file>` and `shellcheck <file>` when ShellCheck is available.
- POSIX shell files: `sh -n <file>`.
- CLI or parser changes: the safest available help/parser check, if the environment permits it without performing installer
actions.
- YAML/preseed changes: parse or validate the changed file with repository tooling if a cheap parser or validator is present.
- Python files: run the relevant checks configured under `py/`, such as Ruff, mypy, or pytest, when applicable.
- Documentation-only changes: confirm the target files exist, check the final diff, and run Markdown linting only when the
repository has a cheap configured Markdown lint command.
Do not run full installer builds, debootstrap, destructive disk tests, broad repository audits, or network-heavy validation
unless explicitly requested or technically required to validate the change.
If a relevant check cannot be run, state the exact reason, and the command that should be run locally.
# 15. Code review
Reviews follow `code_review.md`.
--- ---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
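Review bot: section 14 lists `POSIX shell files: sh -n <file>` without ShellCheck, yet this same commit adds `# shellcheck shell=sh` directives to the POSIX initramfs hooks, which only pay off if ShellCheck is actually run on them; suggest `POSIX shell files: sh -n <file> and shellcheck <file> when ShellCheck is available.` so the policy matches the directives. Also, section 7's global prefix list includes `PID_` and `PIPE_` while the local list stops at `var_`; either state that PID and pipe variables are global-only or add `pid_` and `pipe_` so the two lists correspond.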
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Contributing / participating # 2. Contributing / participating
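Review bot: `**Master Version**: 9.00` disagrees with `**Build**: V9.14.000.2026.06.07` on the following line; the previous header had 8.00 paired with V8.00.000, so either the master version should read 9.14 or the two fields mean different things and the header should say which. The same pair is repeated in every documentation header touched by this commit, so whichever reading is correct should be applied to all of them in one pass.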
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Credits # 2. Credits
+3 -3
View File
@@ -7,13 +7,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Usage # 2. Usage
````text ````text
CISS.debian.installer CISS.debian.installer
Master V8.00.000.2025.06.17 Master V9.14.000.2026.06.07
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025 (p) Centurion Press, 2024 - 2025
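Review bot: the version line moves to `Master V9.14.000.2026.06.07` but the adjacent `(c) Marc S. Weidner, 2018 - 2025` and `(p) Centurion Press, 2024 - 2025` lines keep 2025 as the end year; if this usage text is a copy of `usage()` output, the year ranges in the script are stale as well and should be bumped with the build string.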
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. ToC # 2. ToC
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Resources # 2. Resources
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Hardened Kernel Boot Parameters # 2. Hardened Kernel Boot Parameters
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Debugging and Tracing Infrastructure # 2. Debugging and Tracing Infrastructure
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Global Environment and Error Handling in CISS.debian.installer # 2. Global Environment and Error Handling in CISS.debian.installer
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Git Workflow Linter — Character Set Policy Enforcement # 2. Git Workflow Linter — Character Set Policy Enforcement
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Interplay Between Global Hardening Settings and TRAP Mechanisms # 2. Interplay Between Global Hardening Settings and TRAP Mechanisms
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh) # 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh)
**Scope:** This note explains *what to use when* among **Scope:** This note explains *what to use when* among
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. [4000_debootstrap.sh](../4000_debootstrap.sh) # 2. [4000_debootstrap.sh](../4000_debootstrap.sh)
This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`. This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`.
@@ -13,7 +13,7 @@
guard_sourcing || return "${ERR_GUARD_SOURCE}" guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Setup chrony NTPSec client. # Set up chrony NTPSec client.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No' # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage: # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
+1 -1
View File
@@ -26,7 +26,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
dropbear_build() { dropbear_build() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_dropbear_version="2025.88" declare var_dropbear_version="2026.91"
declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}" declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
declare -r var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log" declare -r var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"
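Review bot: `var_dropbear_version="2026.91"` is a bare string pin and nothing in this hunk ties it to the vendored checksum list or signature file, so a typo here only surfaces when `${var_tar}` is missing at build time. Suggest asserting up front that `${var_tar}` and its `.asc` exist and that the tarball's checksum appears in the signed sums file before any extraction or build step runs, so a mismatch fails closed with a clear message instead of partway through the build.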
@@ -44,7 +44,7 @@ dropbear_initramfs() {
chroot_script "${var_target}" " chroot_script "${var_target}" "
export INITRD=No export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get purge -y dropbear dropbear-run || true apt-get purge -y dropbear || true
" "
chroot_script "${var_target}" " chroot_script "${var_target}" "
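Review bot: dropping `dropbear-run` from `apt-get purge -y dropbear dropbear-run || true` leaves a previously installed `dropbear-run` package, with its init integration, in place if it is present in the target. If the change is because that package no longer exists on the target release, a one-line comment saying so would stop the next reader re-adding it; since `|| true` already tolerates a missing package, keeping both names costs nothing.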
+6 -6
View File
@@ -84,17 +84,17 @@ dropbear_setup() {
write_dropbear_conf write_dropbear_conf
### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs. ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh" \
"${TARGET}/etc/initramfs-tools/scripts/init-premount/1000-fixpath" "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh" \
"${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath" "${TARGET}/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh"
### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs. ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh" \
"${TARGET}/etc/initramfs-tools/hooks/" "${TARGET}/etc/initramfs-tools/hooks/"
### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment. ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999_ciss_prompt.sh" \
"${TARGET}/etc/initramfs-tools/hooks/" "${TARGET}/etc/initramfs-tools/hooks/"
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices. ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
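Review bot: the scripts are installed under their new names but nothing in this hunk removes the previous ones (`.../init-premount/1000-fixpath`, `.../init-top/0000-fixpath`, `hooks/9999-custom-initramfs.sh`, `hooks/9999-custom-prompt.sh`); on a target that already carries the old files, both generations would run on the next `update-initramfs`, and the two fixpath copies would both rewrite `PATH`. Suggest an explicit `rm -f` of the old paths before the `install` calls, or a comment stating that `${TARGET}` is always freshly provisioned so stale copies cannot exist.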
@@ -1,4 +1,7 @@
#!/bin/sh #!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -13,7 +16,7 @@
set -e set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m" printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m"
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
@@ -137,6 +140,6 @@ install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}" printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m" printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,7 @@
#!/bin/sh #!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -13,10 +16,11 @@
set -e set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m" printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m"
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in case "${1}" in
prereqs) prereqs; exit 0 ;; prereqs) prereqs; exit 0 ;;
esac esac
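Review bot: `# shellcheck disable=SC2249` (added before `case "${1}" in` in each initramfs script of this commit) silences the missing-default-branch warning rather than addressing it; a `*) ;;` arm is one line, documents that every argument other than `prereqs` is intentionally ignored, and keeps the number of suppression directives down. The `# shellcheck shell=sh` directive is harmless but redundant with the `#!/bin/sh` shebang ShellCheck already honours.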
@@ -34,6 +38,6 @@ export PS1='$( STATUS=$?; \
fi; ) ' fi; ) '
EOF EOF
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m" printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,7 @@
#!/bin/sh #!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -14,6 +17,7 @@ set -e
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in case "${1}" in
prereqs) prereqs; exit 0 ;; prereqs) prereqs; exit 0 ;;
esac esac
@@ -1,4 +1,7 @@
#!/bin/sh #!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -14,6 +17,7 @@ set -e
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in case "${1}" in
prereqs) prereqs; exit 0 ;; prereqs) prereqs; exit 0 ;;
esac esac
+5 -1
View File
@@ -415,8 +415,12 @@ CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA2
# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only: # TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ToDo: Update PQC Groups to include P-521 and P-384.
# Prefer strong, widely-supported ECDHE groups (first = most preferred): # Prefer strong, widely-supported ECDHE groups (first = most preferred):
Groups = X448:X25519:P-521:P-384 Groups = X448:P-521:P-384
SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
# Operational flags: # Operational flags:
# -SessionTicket => disable TLS session tickets (TLS 1.2 + 1.3) # -SessionTicket => disable TLS session tickets (TLS 1.2 + 1.3)
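Review bot: `Groups = X448:P-521:P-384` drops X25519, which is the most widely deployed of the four and frequently the only group besides P-256 that a peer offers; unless there is a documented reason to reject it, keep `X448:X25519:P-521:P-384` to avoid handshake failures. The new `SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256` admits only RSA-PSS signatures, so any peer or local certificate using ECDSA or EdDSA fails the handshake; if RSA-only is intended, it needs the kind of comment the contributor guide asks for on non-obvious cryptographic decisions. The `# ToDo: Update PQC Groups to include P-521 and P-384.` comment is also misleading, since both curves are already in the list and neither is a post-quantum group.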
@@ -1,15 +1,18 @@
#!/bin/sh #!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
PREREQ="udev" PREREQ="udev"
prereqs() { prereqs() {
echo "${PREREQ}" echo "${PREREQ}"
} }
# shellcheck disable=SC2249
case "$1" in case "$1" in
prereqs) prereqs)
prereqs prereqs
exit 0 exit 0
;; ;;
esac esac
@@ -18,31 +21,32 @@ esac
run_dropbear() { run_dropbear() {
### CISS.debian.installer ### CISS.debian.installer
### Remove old flags for dropbear version 2025.88-2. ### Remove old flags for dropbear version 2025.88-2.
### Only accepts flags from '/etc/dropbear/dropbear.conf'. ### Only accepts flags from '/etc/dropbear/dropbear.conf'.
#local flags="Fs" #local flags="Fs"
# shellcheck disable=SC2292 # shellcheck disable=SC2034,SC2154,SC2292
[ "${debug}" != y ] || flags="E${flags}" # log to standard error [ "${debug}" != y ] || flags="E${flags}" # log to standard error
# Always run configure_networking() before dropbear(8); on NFS # Always run configure_networking() before dropbear(8); on NFS
# mounts this has been done already # mounts this has been done already
# shellcheck disable=SC2292 # shellcheck disable=SC2292
[ "${BOOT}" = nfs ] || configure_networking [ "${BOOT}" = nfs ] || configure_networking
log_begin_msg "Starting dropbear" log_begin_msg "Starting dropbear"
# Using exec and keeping dropbear in the foreground enables the # Using exec and keeping dropbear in the foreground enables the
# init-bottom script to kill the remaining ipconfig processes if # init-bottom script to kill the remaining ipconfig processes if
# someone unlocks the rootfs from the console while the network is # someone unlocks the rootfs from the console while the network is
# being configured # being configured
exec /sbin/dropbear ${DROPBEAR_OPTIONS-} # shellcheck disable=SC2086
exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
} }
# shellcheck disable=SC2292 # shellcheck disable=SC2292
if [ -e /etc/dropbear/dropbear.conf ]; then if [ -e /etc/dropbear/dropbear.conf ]; then
. /etc/dropbear/dropbear.conf . /etc/dropbear/dropbear.conf
fi fi
. /scripts/functions . /scripts/functions
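Review bot: `# shellcheck disable=SC2034,SC2154,SC2292` hides that `flags` is dead code: `flags="E${flags}"` is still assigned when `debug=y`, but `exec /sbin/dropbear ${DROPBEAR_OPTIONS-}` never passes `${flags}`, so the stderr logging the comment promises never takes effect. Either remove the `flags` line together with its comment, or pass the flag through in the `exec` line, rather than suppressing the unused-variable warning. The comment `### Remove old flags for dropbear version 2025.88-2.` is also stale now that the build pins 2026.91.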
@@ -57,3 +61,5 @@ fi
run_dropbear & run_dropbear &
echo $! >/run/dropbear.pid echo $! >/run/dropbear.pid
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
View File
@@ -37,9 +37,9 @@ usage() {
declare var_cols=$(tput cols 2> /dev/null || echo 80) declare var_cols=$(tput cols 2> /dev/null || echo 80)
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare var_header=$(center "V8.00.000.2025.06.17 CISS.debian.installer" "${var_cols}") declare var_header=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}")
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare var_footer=$(center "V8.00.000.2025.06.17 CISS.debian.installer" "${var_cols}") declare var_footer=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}")
{ {
echo -e "\e[97m${var_header} \e[0m" echo -e "\e[97m${var_header} \e[0m"
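Review bot: the build string `V9.14.000.2026.06.07` is hardcoded twice in `usage()` (`var_header` and `var_footer`) and again in the build YAML, the SPDX headers and the documentation touched by this commit; deriving it once from the build configuration into a single global would turn the next release bump into a one-line change and remove the chance of the header and footer drifting apart.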
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Preliminary Components `cdi_0000_preliminary` # 2. Preliminary Components `cdi_0000_preliminary`
+2 -2
View File
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. Guarding and Safe Execution `cdi_0005_guard` # 2. Guarding and Safe Execution `cdi_0005_guard`
+1 -1
View File
@@ -25,7 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
debug_trace() { debug_trace() {
### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name ### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m '
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx LOG_TRC="${DIR_LOG}/ciss_debian_installer_$$_trace.log" declare -grx LOG_TRC="${DIR_LOG}/ciss_debian_installer_$$_trace.log"
### Generates empty LOG_TRC ### Generates empty LOG_TRC
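Review bot: the new PS4 embeds `[$$]`, which is the main shell's PID even inside subshells and command substitutions; `${BASHPID}` would let the trace distinguish subshell lines, which matters when reading `LOG_TRC` after a pipeline fails. Replacing the per-line `$(date ...)` fork with `${EPOCHREALTIME}` is a good change and stays within the Bash 5.1 floor set by the contributor guide. Because everything `set -x` expands is written to `LOG_TRC`, the guide's rule on disabling tracing around secret handling is what keeps passphrases out of this file; a short comment on the `LOG_TRC` line saying so would help future readers.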
+17 -18
View File
@@ -1,24 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512 Hash: SHA512
eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265 CHANGES 16be820347723271b0fea6049ffeed6d6680d7429c65406d8af37776393a0250 dropbear-2026.90.tar.bz2
738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d dropbear-2025.87.tar.bz2 594ac6bd51f361890f6bd829bfe1ce92d241e5f8662d595c13a789e31563f5f7 dropbear-2026.90.tar.bz2.asc
af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be dropbear-2025.87.tar.bz2.asc defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34 dropbear-2026.91.tar.bz2
783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 dropbear-2025.88.tar.bz2 26888fbc9cca8ae8026ea754d711edeb5fdbde0a31f897164695bf59035693fb dropbear-2026.91.tar.bz2.asc
fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411 dropbear-2025.88.tar.bz2.asc
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
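Review bot: the old list's `CHANGES` checksum entry has no counterpart in the new list (the new side carries only the 2026.90 and 2026.91 tarballs and their `.asc` files); if that entry was dropped deliberately, say so in the commit message. Because the 2025.87 and 2025.88 entries are gone as well, anything in the build that still pins those versions will fail checksum verification against this file. Note also that this is a clearsigned list, so the consumer must run the signature check before `sha256sum -c`; without that step the hashes are just unsigned text.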
Binary file not shown.
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=uS3y
-----END PGP SIGNATURE-----
Binary file not shown.
@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmn22d8ACgkQRJMUlPKc
Z3Ndlg//Vj21j/hlAIPD0AOAgYYLvudvR2bA1gJBHrlAQB4FQSWWgW+C0xdHks7X
YUkKFhLMMP8twemA2EApfMtEp+YayfN/djiwCTfhrCI2ObTZJZU6FwyKiENviKGo
hH7rFeh1HdSJuU+HExF9bCq+1oGFjhpOKh982R0hasLzKgN2PmF1v/jEqNpibyIc
o7/7xXFGne39xTrwIuvhjl44iCrIKrcqpObt2cHKRx3D5E1b5nz1JriceCQr4zPa
tRBXyvl7Ub/N0xZ0K81LA5cDuP2h5H1W1X0BEVTMi+4vIJhaFfOCZhFp9vjlKuuW
vLhPJWakaLOM2o0PawHW3pVQfq9vOPOGUYcQoSCjgplEsvySbIHS33/nHrPq9ncb
S6kYQnXtNmWOuWoZfUmGNSBItzd9aOWJ/CukhtovJHRCvM9W68GhR4kqNhZpfvhY
NL35NC3IydxvzZUZzW6OvaBzGnAVshILyVnlrGkI9ikc8BJUY6GllcMopD5+vCbt
YYKZhThckaHmtZL4bkyA1v8KN7uVprCKQSgC56lbXD+fr7qM/sjNLmp+UVCnjTuU
XDFnS7dELDZCXweTmxIowwPetaDtnfBPuYWmGtSezG63Zbsv32/UMAy3YCT7vg/V
9dzK0h2/EG6GCZ9UfYj/uYCuvb8HhbVji0fMYbzo1eT4NAJwPpY=
=/+S8
-----END PGP SIGNATURE-----
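Review bot: the new detached signature carries the same armor prefix (`...FiEE9zR+8u4uB6JnYoypRJMUlPKcZ3M...`) as the clearsigned checksum list in the earlier hunk, so both artifacts come from one signing key; the expected key fingerprint should be documented alongside these files (or pinned in the verification step) rather than left to whatever keys happen to be in the keyring at build time.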
Binary file not shown.
@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=PPW+
-----END PGP SIGNATURE-----
+4 -4
@@ -1,12 +1,12 @@
/* # SPDX-Version: 3.0 */ /* # SPDX-Version: 3.0 */
/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */ /* # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev> */
/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */ /* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */
/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */ /* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */ /* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
/* # SPDX-FileType: SOURCE */ /* # SPDX-FileType: SOURCE */
/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */ /* # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 */
/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */ /* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
/* # SPDX-PackageName: CISS.debian.installer */ /* # SPDX-PackageName: CISS.debian.live.builder */
/* # SPDX-Security-Contact: security@coresecret.eu */ /* # SPDX-Security-Contact: security@coresecret.eu */
#ifndef DROPBEAR_LOCALOPTIONS_H_ #ifndef DROPBEAR_LOCALOPTIONS_H_
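Review bot: the header is now internally inconsistent: `SPDX-ExternalRef` and `SPDX-PackageName` move to `CISS.debian.live.builder`, but `SPDX-LicenseComment` still says the file is part of the `CISS.debian.installer.secure` framework. In the same hunk `SPDX-License-Identifier` changes from `EUPL-1.2 OR LicenseRef-CCLA-1.0` to `LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1` while the unchanged `SPDX-FileCopyrightText` names a second contributor (ZIMNOL, Andre H.); relicensing a file with another copyright holder should be confirmed with that holder and recorded in the commit message, and the `SPDX-FileCopyrightText` year range should be reviewed at the same time.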
@@ -10,6 +10,8 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# ToDo: Update to the latest Kernel Version.
### https://kspp.github.io/ ### https://kspp.github.io/
set -o errexit set -o errexit
+4 -4
@@ -9,6 +9,8 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# ToDo: Update to the latest version of the CISS PKI.
# Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault. # Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault.
# #
# The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the # The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the
@@ -87,7 +89,7 @@ clearance_max = 64
serialNumber = QSCD Serial Number serialNumber = QSCD Serial Number
serialNumber_max = 64 serialNumber_max = 64
############################### = 1234567890123456789012345678901234567890123456789012345678901234 ############################### = 1234567890123456789012345678901234567890123456789012345678901234
commonName_default = CISS Secure Boot Root CA 2025 RSA 4096 commonName_default = CISS Secure Boot Root CA 2026 RSA 4096
organizationName_default = Centurion Intelligence Consulting Agency organizationName_default = Centurion Intelligence Consulting Agency
organizationalUnitName_default = CISO organizationalUnitName_default = CISO
organizationIdentifier_default = VATPT-307086887 organizationIdentifier_default = VATPT-307086887
@@ -104,7 +106,7 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer authorityKeyIdentifier = keyid:always,issuer
authorityInfoAccess = @ciss_sb_pki authorityInfoAccess = @ciss_sb_pki
certificatePolicies = 2.5.29.32.0, @ciss_sb_policy certificatePolicies = 2.5.29.32.0, @ciss_sb_policy
nsComment = "CISS Secure Boot Root CA 2025 RSA 4096" nsComment = "CISS Secure Boot Root CA 2026 RSA 4096"
[ v3_pk ] [ v3_pk ]
basicConstraints = critical, CA:true, pathlen:0 basicConstraints = critical, CA:true, pathlen:0
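Review bot: the CA display name is duplicated as a literal in `nsComment` here and in `commonName_default` in the previous hunk, and both had to be edited by hand for the 2025 to 2026 roll; a single variable in the `[ default ]` section (referenced with `${ENV::...}` or `$var` syntax) would remove the drift risk. `nsComment` is also a legacy Netscape extension that no Secure Boot consumer evaluates, so it could be dropped rather than maintained.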
@@ -147,6 +149,4 @@ CPS.0 = "https://policy.quantumsign.eu/"
fullname = URI:https://crl.quantumign.eu/ fullname = URI:https://crl.quantumign.eu/
reasons = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise reasons = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
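Review bot: the CRL distribution point in this hunk's context reads `fullname = URI:https://crl.quantumign.eu/` while the CPS on the hunk header line is `https://policy.quantumsign.eu/`; the host name looks like a typo (`quantumign` vs `quantumsign`). A wrong CRL URI means relying parties either cannot fetch revocation data at all or fetch it from a domain this PKI does not control, so it should be corrected (or confirmed as intentional) before the 2026 root is issued with this configuration.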
+2 -2
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br> *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br> **Master Version**: 9.00<br>
**Build**: V8.00.000.2025.06.17<br> **Build**: V9.14.000.2026.06.07<br>
# 2. [bash.var.sh](../bash.var.sh) # 2. [bash.var.sh](../bash.var.sh)
This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very
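Review bot: `**Master Version**: 9.00` does not match `**Build**: V9.14.000.2026.06.07` on the next line; the master version should read 9.14 (or the build line should be derived from it) so the two fields cannot disagree.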
+1 -1
@@ -24,7 +24,7 @@ declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
declare -grx VAR_CONTACT="security@coresecret.eu" declare -grx VAR_CONTACT="security@coresecret.eu"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_DS_VER="$(debootstrap --version)" declare -grx VAR_DS_VER="$(debootstrap --version)"
declare -grx VAR_VERSION="Master V8.00.000.2025.06.17" declare -grx VAR_VERSION="Master V9.14.000.2026.06.07"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_SYSTEM="$(uname -mnosv)" declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -gx VAR_ARG_SANITIZED="" declare -gx VAR_ARG_SANITIZED=""